ISS X-Force Database: pppd-race-condition(9738): pppd daemon race condition could allow an attacker to gain elevated privileges

pppd daemon race condition could allow an attacker to gain elevated privileges

pppd-race-condition (9738)

Medium Risk

Description:

The pppd daemon in multiple BSD implementations is vulnerable to a race condition that could allow a local attacker to gain elevated privileges. pppd daemon is one of the implementations of the Point-to-Point Protocol (PPP). The pppd program could open a specified file, record permissions and change the file permissions on a system file. This vulnerability could allow an attacker to acquire write permissions to system files and gain elevated privileges on the system.

Platforms Affected:

FreeBSD, FreeBSD 4.0
FreeBSD, FreeBSD 4.1
FreeBSD, FreeBSD 4.2
FreeBSD, FreeBSD 4.3
FreeBSD, FreeBSD 4.4
FreeBSD, FreeBSD 4.5
FreeBSD, FreeBSD 4.6
NetBSD, NetBSD 1.4
NetBSD, NetBSD 1.4.1
NetBSD, NetBSD 1.4.2
NetBSD, NetBSD 1.4.3
NetBSD, NetBSD 1.5
NetBSD, NetBSD 1.5.1
NetBSD, NetBSD 1.5.2
NetBSD, NetBSD 1.5.3
NetBSD, NetBSD 1.6 beta
NetBSD, NetBSD CURRENT
OpenBSD, OpenBSD 3.0
OpenBSD, OpenBSD 3.1

Remedy:

For FreeBSD 4.0 through 4.6:
Apply the patch for this vulnerability, as listed in FreeBSD Security Advisory FreeBSD-SA-02:32. See References.

— OR —

As a workaround, remove the suid bit from the pppd binary: # chmod u-s /usr/sbin/pppd

For NetBSD:
Refer to NetBSD Security Advisory 2002-010 for upgrade or workaround infomration. See References.

Consequences:

Gain Privileges

References:

FreeBSD Security Advisory FreeBSD-SA-02:32.pppd, exploitable race condition in pppd at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:32.pppd.asc.
Full-Disclosure Mailing List, Mon Sep 16 2002 - 21:12:48 CDT, symlink race in pppd at http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/1003.html. (From Full-Disclosure Mailing List archive)
BID-5355: Multiple Vendor BSD pppd Arbitrary File Permission Modification Race Condition Vulnerability
CVE-2002-0824: BSD pppd allows local users to change the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device.

Reported:

Jul 29, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page